
BUFFER OVERFLOW IN RSAREF2

While researching the exploitability of a buffer overflow in SSH up to version 1.2.27, we discovered a second buffer overflow in the implementation of the RSA algorithm in RSAREF2 from RSA Data Security.

This advisory addresses the details of the bug discovered. The details are somewhat focused on the ability to exploit the bug in SSH compiled with RSAREF2, but they extend to any software product that uses RSAREF2.

In order to perform the RSA operations, the functions call the internal functions RSAPrivateBlock() and RSAPublicBlock(). RSAPrivateDecrypt() and RSAPublicDecrypt() pass a pointer to the local variable pkcsBlock to be used as the output buffer for RSAPublicBlock() and RSAPrivateBlock() respectively. The two functions then perform the RSA operations and copy the results to the output buffer using the NN_Encode() and NN_Decode() functions.

Lack of strict bounds checking and proper validation of input parameters in all these functions allows an attacker to overflow the pkcsBlock variable and overwrite the stack, making it possible to execute arbitrary commands on the vulnerable system.

By providing a suitable modulus length to RSAPrivateDecrypt(), it is possible to force NN_Encode() to copy data beyond the bounds of pkcsBlock and overwrite the return address of RSAPrivateDecrypt(), gaining control of the processor and being able to execute code located elsewhere in the vulnerable program.

The bug is exploitable in SSH because a bug in SSH itself <http://www.securityfocus.com/vdb/bottom.html?vid=797>, discussed and published on the vuln-dev and bugtraq mailing lists, allows a remote client to provide a suitable private key to the RSAREF functions.

The same problem is present in the RSAPublicDecrypt() function, and exploiting it might be even easier, since it is much easier to provide a malicious public key to any software package that supports RSA and uses the RSAREF2 implementation.
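An added sketch in C of the bounds checks whose absence is described above; it is not RSAREF2's code and not the patch this advisory refers to. All `demo_` names, the 1024-bit limit and the key layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limits for this sketch (hypothetical names, not from the advisory). */
#define DEMO_MAX_MODULUS_BITS 1024u
#define DEMO_MAX_MODULUS_LEN  ((DEMO_MAX_MODULUS_BITS + 7u) / 8u)

enum { DEMO_OK = 0, DEMO_ERR_LEN = 1 };

/* Hypothetical key: 'bits' arrives with the key and is untrusted. */
struct demo_key { unsigned int bits; };

/* Stand-in for the block operation and its encode step: writes modulus_len
 * bytes of result, but only if the caller's buffer can hold them. */
static int demo_block(unsigned char *out, size_t out_cap, size_t *out_len,
                      const unsigned char *in, size_t in_len, size_t modulus_len)
{
    if (modulus_len > out_cap || in_len > modulus_len)
        return DEMO_ERR_LEN;
    memset(out, 0, modulus_len - in_len);             /* left-pad, big-endian style */
    memcpy(out + (modulus_len - in_len), in, in_len); /* placeholder for the RSA result */
    *out_len = modulus_len;
    return DEMO_OK;
}

/* Hardened decrypt wrapper: validate the key-declared size before deriving
 * any length from it, then pass the real buffer capacity down. */
int demo_decrypt(unsigned char *output, size_t output_cap, size_t *output_len,
                 const unsigned char *input, size_t input_len,
                 const struct demo_key *key)
{
    unsigned char block[DEMO_MAX_MODULUS_LEN]; /* fixed-size local, like pkcsBlock */
    size_t block_len = 0, modulus_len;
    int rc;

    /* Check bits first: (bits + 7) wraps around for values near UINT_MAX. */
    if (key->bits == 0 || key->bits > DEMO_MAX_MODULUS_BITS)
        return DEMO_ERR_LEN;
    modulus_len = (key->bits + 7u) / 8u;

    rc = demo_block(block, sizeof block, &block_len, input, input_len, modulus_len);
    if (rc != DEMO_OK)
        return rc;
    if (block_len > output_cap)
        return DEMO_ERR_LEN;
    memcpy(output, block, block_len);
    *output_len = block_len;
    return DEMO_OK;
}
```

The check is made on the bit count rather than on the derived byte length, because a bit count close to the maximum unsigned value wraps to a small length and would pass a length-only test.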

Impact

It is possible to execute arbitrary commands as the user that runs the RSAREF2 code.

For SSH up to 1.2.27 compiled with RSAREF2 this implies the remote execution of arbitrary commands as root.

Fix information

RSA Security was contacted and replied that they don't support RSAREF2 anymore. For further details you may contact John Linn. A patch is provided below; please read carefully the file license.txt from the RSAREF2 distribution before applying it.

Vulnerable systems

- SSH up to 1.2.27 compiled with RSAREF2 (RSAREF is not compiled in by default but it's required in some cases in USA)
- Possibly any other software packages that use RSAREF2

Additional information

This vulnerability was discovered by Alberto Soliño and Gerardo Richarte at Core SDI S.A.

Copyright Notice:

The contents of this advisory are copyright (c) 1999 CORE SDI S.A. and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

Fix

Copy the remainder of this message to a file named rsaref.patch in rsaref2/source, and apply with 'patch <rsaref.patch'